| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 08 Apr 2014 21:06:55 +0200 From: Tim Schütt <schuett@...a-net.de> To: fulldisclosure@...lists.org Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 Nope, works also on other protocols like IMAPS. Am 08.04.2014 15:30, schrieb Chris Schmidt: > The bug is in the TLS implementation in OpenSSL, you will only see it on https > > Sent from my iPhone > >> On Apr 8, 2014, at 4:43 AM, "Nik Mitev" <nik@...ev.net> wrote: >> >> I used the tool Kirils linked (http://possible.lv/tools/hb/) and my >> unpatched servers running a Tor node or an Openvpn server returned >> correct (old) version of openssl but not vulnerable. >> Is it the bug or the tool that seems to be limited to https I wonder? >> >> Patched now so can't test with this tool... >> >> -----Original Message----- >> From: Fraser Scott <fraser.scott@...il.com> >> To: fulldisclosure@...lists.org >> Subject: Re: [FD] heartbleed OpenSSL bug CVE-2014-0160 >> Date: Tue, 8 Apr 2014 10:24:02 +0100 >> >> This seems to be the best test so far: >> >> http://s3.jspenguin.org/ssltest.py >> >> Other tests false-positive on patched versions from what I can see. >> >> >>> On 8 April 2014 01:10, Kirils Solovjovs <kirils.solovjovs@...ils.com> wrote: >>> >>> We are doomed. >>> >>> Description: http://www.openssl.org/news/vulnerabilities.html >>> Article dedicated to the bug: http://heartbleed.com/ >>> Tool to check if TLS heartbeat extension is supported: >>> http://possible.lv/tools/hb/ >>> >>> A missing bounds check in the handling of the TLS heartbeat extension >>> can be used to reveal up to 64kB of memory to a connected client or server. >>> >>> 1.0.1[ abcdef] affected. >>> >>> >>> P.S. Happy Monday! >>> >>> _______________________________________________ >>> Sent through the Full Disclosure mailing list >>> http://nmap.org/mailman/listinfo/fulldisclosure >>> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ >> >> _______________________________________________ >> Sent through the Full Disclosure mailing list >> http://nmap.org/mailman/listinfo/fulldisclosure >> Web Archives & RSS: http://seclists.org/fulldisclosure/ > _______________________________________________ > Sent through the Full Disclosure mailing list > http://nmap.org/mailman/listinfo/fulldisclosure > Web Archives & RSS: http://seclists.org/fulldisclosure/ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists